Take a risk assessment – I know everyone talks about risk, but the truth is how can you determine what are the issues if you don’t look at the potential risks. I suggest this is a big project and a great first step.

Identify all sensitive data that you collect and maintain

where is is stored (cloud, server, third party)?

how is is accessed (what types of remote devices access your date)?

are you allowing employees to access remotely?

what third parties have access to your data?

This is going to be a process. I’ll walk you through it over the next several weeks. But this first step will go a long way to get you started.